Mac worm rumors swirl; Dai Zovi ships unofficial Mac OS X patch

Summary: Amidst unconfirmed rumors that anonymous hackers have created a worm that exploits an unpatched code execution flaw in Mac OS X (Intel), a team of researchers have come up with a way to completely disable a buggy portion of the Mac code base.

Led by Mac security guru Dino Dai Zovi (of CanSecWest MacBook hijack fame), the researchers have created a third-party patch that removes the UPnP code from mDNSResponder, the Bonjour system service that implements Multicast DNS Service Discovery for finding services on the local network.

Dai Zovi worked with his former employers at Matasano Security on the patch after looking at the worm claim and the recent mDNSResponder patch (and Bonjour exploit) affecting that portion of the Mac OS X code.

[ SEE: Ten questions for MacBook hacker Dino Dai Zovi ]

"If I were to guess about the vulnerability linked to the worm claim, I'd say it's in UPnP. I won't be surprised if there are others looking hard at that piece of code to find holes," Dai Zovi said in a telephone interview.

The patch, which is buyer-beware (and unsupported), does not fix a specific vulnerability. Instead, it removes the LegacyNATTraversal code from mDNSResponder. Hackers consider mDNSResponder the primary client-to-server attack surface on Mac OS X.

Matasano president Dave Goldsmith, a former @stake researcher who has found and reported numerous Mac OS X vulnerabilities over the years, said that portion of the code contains lots of unbounded memory copies and has a history of overflows and memory-smashing bugs.

"This patch will hopefully prevent a certain code path from getting executed. No one knows for sure if there's a vulnerability there but we think this (patch) could potentially stop some bad code from getting called," Goldsmith said by telephone.

"The LegacyNATTraversal code is 1994-style C code," Goldsmith said. "There are known bad programming practices lurking in that particular file."
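For readers who have not met the term, an "unbounded memory copy" is a copy whose length is taken from untrusted input and never compared with the size of the destination. The following C program is an added illustration written for this article; it is not mDNSResponder's code, not Matasano's patch, and uses a constructed toy wire format (one length byte followed by name bytes). It shows the 1994-style parse beside a bounded version that validates the length against both the buffer and the packet before copying, and it deliberately never feeds malformed input to the unbounded parser.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32   /* fixed-size destination buffer, as in many old C parsers */

/* Wire format assumed for this illustration: one length byte followed by that
 * many name bytes. This is a constructed toy format, not mDNSResponder's. */

/* "1994-style" unbounded copy: the length comes straight off the wire and is
 * never compared with the destination size or the packet size. A length byte
 * larger than NAME_MAX-1 writes past the end of out[]; a length larger than
 * the packet reads beyond it. */
int parse_name_unbounded(const uint8_t *pkt, size_t pkt_len, char out[NAME_MAX])
{
    if (pkt_len < 1)
        return -1;
    size_t n = pkt[0];
    memcpy(out, pkt + 1, n);  /* no bound on n */
    out[n] = '\0';
    return (int)n;
}

/* Bounded version: same parse, but the untrusted length is validated against
 * both the destination and the bytes actually present before any copy. */
int parse_name_bounded(const uint8_t *pkt, size_t pkt_len, char out[NAME_MAX])
{
    if (pkt_len < 1)
        return -1;            /* empty packet */
    size_t n = pkt[0];
    if (n > NAME_MAX - 1)
        return -2;            /* would overflow out[] (keep room for the NUL) */
    if (n > pkt_len - 1)
        return -3;            /* would read past the end of the packet */
    memcpy(out, pkt + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample packets for the demonstration. */
static const uint8_t PKT_OK[]        = { 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t PKT_OVERSIZED[] = { 200, 'x', 'x', 'x' };   /* claims 200 bytes */
static const uint8_t PKT_TRUNCATED[] = { 10, 'a', 'b', 'c' };    /* claims 10, has 3 */

/* Returns the parsed length when the benign packet yields "hello", else -99. */
int demo_benign(void)
{
    char name[NAME_MAX];
    int n = parse_name_bounded(PKT_OK, sizeof PKT_OK, name);
    return (n == 5 && strcmp(name, "hello") == 0) ? n : -99;
}

/* Bounded parser's verdict on a packet whose length byte exceeds the buffer. */
int demo_oversized(void)
{
    char name[NAME_MAX];
    return parse_name_bounded(PKT_OVERSIZED, sizeof PKT_OVERSIZED, name);
}

/* Bounded parser's verdict on a packet shorter than its length byte claims. */
int demo_truncated(void)
{
    char name[NAME_MAX];
    return parse_name_bounded(PKT_TRUNCATED, sizeof PKT_TRUNCATED, name);
}

int main(void)
{
    char name[NAME_MAX];
    /* Both parsers agree on well-formed input... */
    int n = parse_name_unbounded(PKT_OK, sizeof PKT_OK, name);
    printf("unbounded on benign packet: %d (%s)\n", n, name);
    printf("bounded   on benign packet: %d\n", demo_benign());
    /* ...but only the bounded one survives malformed input. The unbounded
     * parser is intentionally not called on these packets: it would write
     * past name[] and corrupt the stack. */
    printf("bounded on oversized packet: %d\n", demo_oversized());
    printf("bounded on truncated packet: %d\n", demo_truncated());
    return 0;
}
```

The point of the bounded version is that both checks are needed: comparing against NAME_MAX alone still lets a short packet with a large length byte read beyond the buffer it arrived in, which is the read-side counterpart of the write-side overflow. Removing a whole code path, as the Matasano patch does, sidesteps the question of whether every such copy in the file has both checks.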

On Matasano's blog, Goldsmith warns that the patch is buyer-beware.

Standard disclaimers about this patch apply (including: may do nothing, may protect you from current/future vulns, may cause mDNSresponder to not work, may break support contracts). Also, this patch is unsupported, which is why I didn't give step by step instructions on how to apply it.

In any event, Dai Zovi said the patch isn't for non-technical Mac users. "There's an opportunity for someone to make it more user-friendly but, right now, it's not something the average user can use," he said.

His advice to Apple: rewrite the entire UPnP code base.

"It's a feature that's there for a reason but that entire bit of code needs to be rewritten. There are too many (potential) dangers there," he added.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
